WD: What to Do If You Have a Macro Virus

ID: Q134727

The information in this article applies to:
  • Microsoft Word for Windows, versions 6.0, 6.0a, 6.0c
  • Microsoft Word for Windows 95, versions 7.0, 7.0a
  • Microsoft Word for Windows NT, version 6.0
  • Microsoft Word for the Macintosh, versions 6.0, 6.0.1

SYMPTOMS

The first macro virus was discovered in the summer of 1995. Since that time, other macro viruses have appeared. This article describes what to do if you think you might have a Word macro virus, or if you want to ensure that your documents never become infected with one.

The following are some symptoms of a Word macro virus that are known to affect Word and Word documents:

  • When you try to save a document, Word only lets you save the document as a template.

    -or-


  • The icon for the file looks like a template rather than a document.

    -or-


  • When you open a document, a dialog box showing the number 1 appears.

    -or-


  • New macros appear in the list of macros. AutoOpen and FileSaveAs macros may also appear; if you already had macros by these names, their content may have been changed by the macro virus.

    -or-


  • The Winword6.ini file contains the following line: 
    
ww6=1
    -or-


  • Unusual or unexpected messages appear when you open a Word document or template.



RESOLUTION

To protect your existing and future documents from Word macro viruses, you must install software that is specifically designed to detect and remove macro viruses.

For information on anti-virus software vendors, including a list software capable of detecting and preventing macro viruses, please see the following article in the Microsoft Knowledge Base:

Q49500 Anti-Virus Software Vendors


WORKAROUND

Use the following workarounds as interim solutions only.

NOTES:

  • Word version 7.0a for Windows 95, and the Macro Virus Protection Tool are designed to alert you if you open a file that contains macros, regardless of what the macros do. For a permanent solution, you must use anti-virus software that is specifically designed to detect and prevent macro viruses.


  • Word 7.0a doesn't look for or remove any macro viruses from existing documents and templates. It will simply warn you if the document you are opening contains macros. The warning lets you either open the document with the macros active or open it with the macros disabled. You should not open a document with the macros active unless you are absolutely sure that the document contains no harmful macro viruses.


  • The Macro Virus Protection Tool (available for Word 6.0 users only) includes the ability to look for Word files that contain the Concept Virus and to remove the Concept Virus if it is found. However, it looks ONLY for the Concept Virus and not for any other type of macro virus. Since the development of the Macro Virus Protection Tool, many other macro viruses have been discovered, and the tool is not capable of searching for these viruses.


For a long-term solution to macro viruses, install anti-virus software that is specifically designed to detect macro viruses. For information on anti- virus software vendors, including software capable of detecting and preventing macro viruses, please see the following article in the Microsoft Knowledge Base:
Q49500 Anti-Virus Software Vendors

Method 1: Upgrade to Word 7.0a, Word 97, or Word 98 Macintosh Edition

Windows:

If you are using Word for Windows 95 version 7.0, obtain Word version 7.0a. Version 7.0a alerts you if you try to open a file that contains macros. If you are using any version of Word for Windows earlier than Word 95, upgrade to Word 97 for Windows.

Macintosh:

If you are using version 6.0, 6.0.1, or 6.0.1a, upgrade to Microsoft Word 98 Macintosh Edition.

To obtain pre-sales information about new or updated Microsoft products, call the Microsoft Sales Information Center at (800) 426-9400. If you are outside the United States, contact the Microsoft subsidiary for your area. To locate your subsidiary, see the Microsoft World Wide Offices Web site at:
http://www.microsoft.com/worldwide/default.htm

Method 2: Obtain the "Macro Virus Protection Tool"

If you are using Word version 6.x (for Windows or Macintosh), obtain the Microsoft Application Note titled "Macro Virus Protection Tool." The Word for Windows version is WD1215, and the Word for the Macintosh version is MW1222.

These Application Notes contain a tool called Scanprot.dot that alerts you if you try to open a file that contains macros. It does not clean the macros from your system.

For more information about how to obtain these Application Notes, please see the following articles in the Microsoft Knowledge Base:
Q134728 WD1215: "Macro Virus Protection Tool" for Word for Windows

Q133895 MW1222: "Macro Virus Protection Tool" for Word for the Macintosh
The "Macro Virus Protection Tool" will install the following macros in your Normal (Normal.dot) template: AutoExit, FileOpen, InstVer, and ShellOpen.

Method 3: Press SHIFT When You Open a File

If you do not have any of the symptoms described in this article, but you do not want to be affected by a macro virus, hold down the SHIFT key when you open a file that might be affected by a macro virus. Pressing SHIFT will prevent any Auto macros from being run; if a macro virus is present, it will not be loaded.

Method 4: Delete the Macro and Recover the Document

If you have experienced the symptoms listed in this article, or if you suspect that you have a macro virus that is not described here, use the following steps to remove the offending macros and correct affected documents. (Remember, this is only a temporary solution; because new macros are being created, these steps may not work):

  1. Close Word and rename the Normal.dot file to Normal.xxx (Windows) or move Normal to the desktop.


  2. Make a back-up copy of an affected file.


  3. Open Word.


  4. On the File menu click Open.


  5. Navigate to the folder containing the affected file.


  6. Click to select the affected file.


  7. Press and hold the SHIFT key and click Open.

    Continue to hold the SHIFT key until the affected file is open in Word.

    NOTE: Holding the SHIFT key while opening a file keeps any automatic macros from running.


  8. To remove suspect virus containing macros, follow the steps below:


    1. On the Tools menu, click Macro.


    2. In the Macros Available In list, click All Active Templates.


    3. Select the suspect macro and click Delete. Click Yes.


    4. Repeat step c for all suspect macros.


    5. Click Close.


  9. To recover the text of an infected document:


    1. Select the entire document by pressing CTRL+A (Windows) or COMMAND+A (Macintosh), or by clicking Select All on the Edit menu.


    2. Do not include the final paragraph mark from the selection by pressing SHIFT+LEFT ARROW.


    3. On the Edit menu, click Copy.


    4. On the File menu, click New. Select the template you want to use, and click OK.


    5. On the Edit menu, click Paste.


    6. Repeat step 8 to ensure that the virus containing macros have not again replicated.


    7. Save the document.


  10. Repeat these steps for any document you think may contain a macro virus.


NOTE: If this method does not work, try Method 5.

Method 5: Using the Organizer to Temporarily Clean Up Macro Viruses

Use the Organizer to clean up the macro virus. Keep in mind that if other files were opened after the infected file, they most likely will be infected as well.

To remove the virus from the Normal template, follow these steps:

  1. Close all documents. If an infected document is open, it can easily reinfect Normal.dot (Windows) or Normal (Macintosh).


  2. On the File menu, click Templates, and click the Organizer button.


  3. Select the Macros tab. Rename or delete all of the following macros:


    4. AutoClose
    AutoExec
    AutoOpen
    FileExit
    FileNew
    FileOpen
    FileSave
    FileSaveAs
    Macros
    ToolsMacro
  4. Close the Organizer.


  5. On the File menu, click Save All to save the template.


To remove the virus from infected documents:

If a file is infected, use this method, but remove the macros from both the Normal template and also from the infected document (template) while in the Organizer. When you are done, click the File menu and click Save All and move on to the next file. Keep in mind that every time you open an infected file it will infect your Normal template, so you constantly need to remove the macros from the Normal template.

Method 6: Insert the File into a New Document

With this method, you will need to rename Normal.dot (Windows) or move Normal to the Desktop (Macintosh) and then on the Insert menu, click File to temporarily remove the macros. This method is particularly useful with the macro virus called "CAP" which removes Macro and Customize from the Tools menu.

NOTE: In this situation, the Templates command (Word 6.x and 7.x) may not work.

To insert the file into a new document, follow these steps:

  1. Close Word and rename the Normal.dot file to Name.dot (Windows) or move Normal to the Desktop (Macintosh).


  2. Open Word and verify that Macro And Customize are on the Tools menu.


  3. Open a new document. On the Insert menu, click File.


  4. Navigate to the folder containing the affected file.


  5. Click to select the affected file.


  6. Press and hold the SHIFT key and click Open.

    Continue to hold the SHIFT key until the affected file is open in Word.

    NOTE: Holding the SHIFT key while opening a file keeps any of Words automatic macros from running.


  7. To see if there are any macros in the new document (there should not be any listed), click Macro on the Tools menu. In the Macros Available In list, click All Active Templates.


  8. Save the file with a different file name.


  9. Delete the infected file.



MORE INFORMATION

A macro virus is a program written in the macro language of a program, like Word. It propagates itself among data files and can harm your files or your computer's operating system.

Word macro viruses do not travel freely over the Internet or any other media; they can only be transferred when a user opens a document or template that contains the virus macro.

Microsoft Internet Assistant and documents created or read by it cannot be affected by such macros. Internet Assistant, by design, blocks the mechanism that distributes the macro virus.

Macro viruses cannot be transferred by WordMail unless an affected document is embedded in the e-mail message and the receiver opens the document.

Additional query words: virus disinfect protect protected corporate infect protection normal.dot saving opening saveas nuclear DMV prank concept WordBasic

Keywords : kbtshoot wordnt word8 winword word97 ntword macword word6 word7 word95
Version : MACINTOSH:6.0,6.0.1; WINDOWS:6.0,6.0a,6.0c,7.0,7.0a; winnt:6.0
Platform : MACINTOSH WINDOWS winnt
Issue type :


Last Reviewed: September 14, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.